ci: add Terraform to configure Scalingo and MEP

DNUM-SocialGouv · Sep 25, 2023 · be04a91 · be04a91
1 parent 0b19cbd
commit be04a91
Show file tree

Hide file tree

Showing 17 changed files with 489 additions and 24 deletions.
diff --git a/.env.scalingo b/.env.scalingo
@@ -0,0 +1,29 @@
+# Configuration de NPM
+NODE_MODULES_CACHE="${NODE_MODULES_CACHE:-true}"
+NPM_CONFIG_PRODUCTION="${NPM_CONFIG_PRODUCTION:-true}"
+
+# Configuration de Strapi
+DATABASE_URL='$SCALINGO_POSTGRESQL_URL'
+ADMIN_JWT_SECRET="${ADMIN_JWT_SECRET}"
+API_TOKEN_SALT="${ADMIN_JWT_SECRET}"
+APP_KEYS="${APP_KEYS}"
+JWT_SECRET="${JWT_SECRET}"
+STRAPI_TELEMETRY_DISABLED="${STRAPI_TELEMETRY_DISABLED:-true}"
+
+# Minio utilisé pour le stockage des médias
+MINIO_ACCESS_KEY="${MINIO_ACCESS_KEY}"
+MINIO_BUCKET="${MINIO_BUCKET}"
+MINIO_ENDPOINT="${MINIO_ENDPOINT}"
+MINIO_SECRET_KEY="${MINIO_SECRET_KEY}"
+
+# MeiliSearch
+PLUGIN_MEILISEARCH_API_KEY="${PLUGIN_MEILISEARCH_API_KEY}"
+PLUGIN_MEILISEARCH_URL="${PLUGIN_MEILISEARCH_URL}"
+MEILISEARCH_BATCH_SIZE="${MEILISEARCH_BATCH_SIZE:-100}"
+
+# Sentry
+SENTRY_DSN="${SENTRY_DSN}"
+SENTRY_ENVIRONMENT="${SENTRY_ENVIRONMENT}" # "production", "recette" or "dev"
+
+# Variables auto-configurées par Scalingo :
+# - SCALINGO_POSTGRESQL_URL
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -1,4 +1,7 @@
 {
   "enabled": true,
-  "extends": ["github>SocialGouv/renovate-config"]
+  "extends": ["github>SocialGouv/renovate-config"],
+  "nvm": {
+    "enabled": true
+  }
 }
diff --git a/.github/workflows/mise-en-production.yml b/.github/workflows/mise-en-production.yml
@@ -0,0 +1,68 @@
+name: Mise en production
+
+on:
+  workflow_dispatch:
+    inputs:
+      purge_cloudflare_cache:
+        description: 'Faut-il vider le cache Cloudflare après le déploiement ?'
+        type: boolean
+        default: false
+
+jobs:
+  backup:
+    name: Sauvegarder la base de données PostgreSQL
+    runs-on: ubuntu-latest
+    environment:
+      name: scalingo-production
+      url: https://www.1jeune1solution.gouv.fr
+    steps:
+      - name: Configurer la CLI Scalingo
+        uses: scalingo-community/[email protected]
+        with:
+          api_token: ${{ secrets.SCALINGO_API_TOKEN }}
+          region: ${{ vars.SCALINGO_REGION }}
+          app_name: ${{ secrets.TF_VAR_NOM_DE_L_APPLICATION }}
+      - name: Créer une sauvegarde de la base PostgreSQL Scalingo
+        run: |
+          POSTGRESQL_ADDON_ID=$(scalingo addons | grep -i postgresql | awk 'BEGIN{FS=" [|] "}{print $2}')
+          scalingo backups-create --addon $POSTGRESQL_ADDON_ID
+
+  terraform:
+    uses: DNUM-SocialGouv/1j1s-front/.github/workflows/terraform-template.yml@main
+    secrets: inherit
+    with:
+      apply: true
+      environnement_name: scalingo-production
+      environnement_url: https://www.1jeune1solution.gouv.fr
+    concurrency: terraform-state-production # Evite les conflits sur le state Terraform
+
+  deployment:
+    name: Déployer le code sur Scalingo
+    needs: [terraform, backup]
+    runs-on: ubuntu-latest
+    environment:
+      name: scalingo-production
+      url: https://www.1jeune1solution.gouv.fr
+    steps:
+      - name: Configurer la CLI Scalingo
+        uses: scalingo-community/[email protected]
+        with:
+          api_token: ${{ secrets.SCALINGO_API_TOKEN }}
+          region: ${{ vars.SCALINGO_REGION }}
+          app_name: ${{ secrets.TF_VAR_NOM_DE_L_APPLICATION }}
+      - name: Déployer le code sur Scalingo
+        run: |
+          scalingo integration-link-manual-deploy main
+
+  cloudflare:
+    name: Purger le cache Cloudflare
+    needs: scalingo
+    runs-on: ubuntu-latest
+    if: ${{ inputs.purge_cloudflare_cache == true }}
+
+    steps:
+      - name: Purger le cache Cloudflare
+        uses: nathanvaughn/[email protected]
+        with:
+            cf_zone: ${{ secrets.CLOUDFLARE_ZONE_ID }}
+            cf_auth: ${{ secrets.CLOUDFLARE_API_TOKEN }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -1,8 +1,14 @@
+name: release-please
+
 on:
   push:
     branches:
       - main
-name: release-please
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release-please:
     runs-on: ubuntu-latest
@@ -11,3 +17,4 @@ jobs:
         with:
           release-type: node
           package-name: release-please-action
+          changelog-types: '[{"type":"feat","section":"✨ Nouvelles fonctionnalités","hidden":false},{"type":"fix","section":"🐛 Corrections de bogues","hidden":false},{"type":"chore","section":"👷 Autres changements","hidden":false},{"type":"ci","section":"👷 Autres changements","hidden":false},{"type":"refacto","section":"👷 Autres changements","hidden":false},{"type":"build","section":"👷 Autres changements","hidden":false},{"type":"docs","section":"📚 Documentation","hidden":false}]'
diff --git a/.github/workflows/test-ci.yml → .github/workflows/run-unit-tests.yml b/.github/workflows/test-ci.yml → .github/workflows/run-unit-tests.yml
@@ -1,17 +1,14 @@
-name: Test
+name: Tests unitaires
 on: [push]
 jobs:
-  Test:
-    if: "!contains(github.event.head_commit.message, 'WIP')"
+  tests-unitaires:
+    if: ${{ !contains(github.event.head_commit.message, 'WIP') }}
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [18.12.1]
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
         with:
-          node-version: ${{matrix.node-version}}
+          node-version-file: ".nvmrc"
           cache: 'npm'
       - run: npm ci
       - run: npm test
diff --git a/.github/workflows/terraform-pr.yml b/.github/workflows/terraform-pr.yml
@@ -0,0 +1,24 @@
+name: Simulation de déploiement Terraform
+
+# Exécute le plan uniquement quand des modifications sont apportées
+# - aux fichiers Terraform
+# - aux variables d'environnement
+# dans une pull request
+on:
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'terraform/**'
+      - '.github/workflows/terraform-*.yml'
+      - '.env.scalingo'
+
+jobs:
+  # Quand le job est exécuté sur une pull request le "plan" s'éxécute sur la recette
+  # sauf si la pull request est générée par release-please, auquel cas le "plan" s'éxécute sur la production
+  terraform_plan:
+    uses: DNUM-SocialGouv/1j1s-front/.github/workflows/terraform-template.yml@main
+    secrets: inherit
+    with:
+      plan: true
+      environnement_name: ${{ startsWith(github.head_ref, 'release-please--') && 'scalingo-production' || 'scalingo-recette' }}
+      environnement_url: ${{ startsWith(github.head_ref, 'release-please--') && 'https://www.1jeune1solution.gouv.fr' || 'https://recette.1jeune1solution.gouv.fr' }}
diff --git a/.github/workflows/terraform-recette.yml b/.github/workflows/terraform-recette.yml
@@ -0,0 +1,19 @@
+name: Déploiement en Recette
+
+# Déploie le code Terraform lors de chaque commit/merge sur la branche "main"
+# une fois que c'est réussi, normalement l'intégration Github<=>Scalingo automatique va déployer
+# la branche main sur l'app 1j1s-front (qui correspond à la recette)
+# c'est pour ça qu'on ne déploie pas Scalingo ici
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  recette:
+    uses: DNUM-SocialGouv/1j1s-front/.github/workflows/terraform-template.yml@main
+    secrets: inherit
+    with:
+      apply: true
+      environnement_name: scalingo-recette
+      environnement_url: https://recette.1jeune1solution.gouv.fr
+    concurrency: terraform-state-recette # Evite les conflits sur le state Terraform
diff --git a/.gitignore b/.gitignore
@@ -107,6 +107,7 @@ coverage
 ############################
 
 .env
+.env.*
 license.txt
 exports
 *.cache
@@ -119,3 +120,9 @@ build
 ############################
 tmp
 .nyc_output
+
+############################
+# Terraform
+############################
+.terraform
+*.tfstate
diff --git a/config/database.ts b/config/database.ts
@@ -1,13 +1,17 @@
-export default ({ env }) => ({
-  connection: {
-    client: "postgres",
+export default ({ env }) => {
+  const databaseURL = env("DATABASE_URL", "postgres://database-user:[email protected]:5432/cms-principal?sslmode=prefer");
+
+  return {
     connection: {
-      host: env("DATABASE_HOST", "127.0.0.1"),
-      port: env.int("DATABASE_PORT", 5432),
-      database: env("DATABASE_NAME", "cms-principal"),
-      user: env("DATABASE_USERNAME", "database-user"),
-      password: env("DATABASE_PASSWORD", "database-password"),
-      ssl: env.bool("DATABASE_SSL", false),
+      client: "postgres",
+      connection: {
+        host: databaseURL.hostname,
+        port: databaseURL.port,
+        database: databaseURL.pathname.substr(1),
+        user: databaseURL.username,
+        password: databaseURL.password,
+        ssl: env.bool("DATABASE_SSL", false),
+      },
     },
-  },
-});
+  }
+};
diff --git a/config/sentry/index.ts b/config/sentry/index.ts
@@ -4,7 +4,7 @@ export default (env) => ({
     dsn: env("SENTRY_DSN"),
     init: {
       release: `${env("npm_package_name")}@${env("npm_package_version")}`,
-      environment: env("NODE_ENV")
+      environment: env("SENTRY_ENVIRONMENT", "dev")
     }
   },
 })
diff --git a/package.json b/package.json
@@ -2,7 +2,7 @@
   "name": "1j1s-main-cms",
   "private": true,
   "version": "1.21.5",
-  "description": "1 jeune 1 solution main CMS ",
+  "description": "CMS agrégeant les données pour le site 1jeune1solution.gouv.fr",
   "scripts": {
     "docker:populate": "./populate-with-recette-data.sh",
     "docker:start": "docker-compose --env-file=.env.docker up --build -d && sleep 5 && open http://localhost:1337/admin",
@@ -47,8 +47,7 @@
     "uuid": "c8583f78-6df0-4091-8734-ede822e386b8"
   },
   "engines": {
-    "node": "^16.20.0",
-    "npm": "^9.7.1"
+    "node": "^18.12.1"
   },
   "license": "MIT"
 }
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl